heap-buffer-overflow write in form_update_line() #82

Closed
kcwu opened this issue Dec 11, 2016 · 5 comments
Comments

@kcwu (Contributor) commented Dec 11, 2016

input (xxd cases/tats-w3m-82)

00000000: 3c6d 6574 6120 6368 6172 7365 743d 6370  <meta charset=cp
00000010: 3934 393e 3c74 6162 6c65 2077 6964 7468  949><table width
00000020: 3d31 3230 3e30 3030 3030 3030 303c 7464  =120>00000000<td
00000030: 3e3c 7469 746c 653e 3c78 6d70 3e3c 626f  ><title><xmp><bo
00000040: 6479 3e3c 7461 626c 653e 3030 3030 3c2f  dy><table>0000</
00000050: 696e 7465 726e 616c 3e30 3030 0a30 3030  internal>000.000
00000060: 3030 303d 3030 3030 3030 0630 3030 3030  000=000000.00000
00000070: 303c 7464 3e30 3030 3030 a74d 3030 3030  0<td>00000.M0000
00000080: 3060 3030 3030 3006 3030 3030 3030 a730  0`00000.000000.0
00000090: 3030 3030 3000 3e30 3030 3030 3000 3030  00000.>000000.00
000000a0: 3e30 3030 3020 3030 3030 3030 9130 3030  >0000 000000.000
000000b0: 3030 303d 3030 3030 3030 9b30 3030 3030  000=000000.00000
000000c0: 309b 3030 3030 3030 9b3c 696e 7465 726e  0.000000.<intern
000000d0: 616c 3e3c 7465 7874 6172 6561 2072 6f77  al><textarea row
000000e0: 733d 3232 3e3c 7462 6f64 793e 308a 3030  s=22><tbody>0.00
000000f0: 3030 3030 ff30 3030 3090 9030 3030 3030  0000.0000..00000
00000100: 2030                                      0

how to reproduce:

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc ./w3m-tats.asan -T text/html -dump cases/tats-w3m-82

stderr:

=================================================================
==3131837==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000002b76 at pc 0x000000466e3a bp 0x7ffe26ef0cb0 sp 0x7ffe26ef0460
WRITE of size 6 at 0x604000002b76 thread T0
    #0 0x466e39 in memmove /home/kcwu/clang/llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:451
    #1 0x653ba2 in form_update_line /targets/w3m-tats/form.c:407:5
    #2 0x650ca6 in formUpdateBuffer /targets/w3m-tats/form.c:497:12
    #3 0x651f8a in formResetBuffer /targets/w3m-tats/form.c:272:2
    #4 0x57c038 in loadHTMLBuffer /targets/w3m-tats/file.c:6800:2
    #5 0x57f0a4 in loadSomething /targets/w3m-tats/file.c:224:16
    #6 0x573833 in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #7 0x51967c in main /targets/w3m-tats/main.c:1017:12
    #8 0x7f83a5110f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #9 0x41cf6b in _start (/w3m-tats.asan+0x41cf6b)

0x604000002b76 is located 0 bytes to the right of 38-byte region [0x604000002b50,0x604000002b76)
allocated by thread T0 here:
    #0 0x4e035d in calloc /home/kcwu/clang/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72
    #1 0x7f83a685eb05 in GC_malloc /notgc/notgc.c:259
    #2 0x650ca6 in formUpdateBuffer /targets/w3m-tats/form.c:497:12
    #3 0x651f8a in formResetBuffer /targets/w3m-tats/form.c:272:2
    #4 0x57c038 in loadHTMLBuffer /targets/w3m-tats/file.c:6800:2
    #5 0x57f0a4 in loadSomething /targets/w3m-tats/file.c:224:16
    #6 0x573833 in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #7 0x51967c in main /targets/w3m-tats/main.c:1017:12
    #8 0x7f83a5110f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kcwu/clang/llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:451 in memmove
Shadow bytes around the buggy address:
  0x0c087fff8510: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8520: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8530: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 00 06
  0x0c087fff8540: fa fa 00 00 00 00 00 04 fa fa 00 00 00 00 00 02
  0x0c087fff8550: fa fa 00 00 00 00 00 04 fa fa 00 00 00 00 04 fa
=>0x0c087fff8560: fa fa 00 00 00 00 00 04 fa fa 00 00 00 00[06]fa
  0x0c087fff8570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff85a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff85b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3131837==ABORTING

This is detected with the help of a dummy libgc wrapper. See http://github.com/kcwu/fuzzing-w3m/notgc for details.
For more details on how to reproduce, please see http://github.com/kcwu/fuzzing-w3m

For your convenience,
gdbline:
LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-82

This was found by afl-fuzz.

@kcwu (Contributor, Author) commented Dec 11, 2016

P.S. This is detected by ASan with my patch.

@kcwu (Contributor, Author) commented Dec 11, 2016

form.c

324         prop = New_N(Lineprop, len);
...
407         bcopy((void *)&line->propBuf[epos], (void *)&prop[pos],
408               (line->len - epos) * sizeof(Lineprop));

where pos=17, line->len=21, epos=18, sizeof(Lineprop)=2.
In other words, bcopy() writes to prop[17], prop[18] and prop[19], but prop is allocated with size len=19.
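The following is an added example, not code from w3m or from the issue reporter, that models the arithmetic in the comment above. It assumes Lineprop is a 16-bit type (so sizeof(Lineprop) == 2 as in the report) and takes pos=17, epos=18, line->len=21 and len=19 from the report; the function names tail_copy_overrun and checked_tail_copy, and the constructed source array, are illustrative and not part of w3m. It computes how many elements the unchecked tail copy writes past the end of prop, and shows the bounds check that rejects the same copy.

```c
/* Added example (not w3m code): the tail-copy arithmetic from form.c:407,
 * with the values reported in this issue, and a checked variant. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: Lineprop modelled as a 16-bit value, sizeof == 2 as reported. */
typedef uint16_t Lineprop;

/* Elements that bcopy(&propBuf[epos], &prop[pos], (line_len - epos) * sizeof(Lineprop))
 * would write past prop[len - 1]; 0 if the copy fits in prop[len]. */
size_t tail_copy_overrun(size_t len, size_t pos, size_t epos, size_t line_len)
{
    if (epos > line_len)
        return 0;                                /* nothing to copy */
    size_t end = pos + (line_len - epos);        /* one past the last index written */
    return end > len ? end - len : 0;
}

/* Checked tail copy: copy src[epos .. src_len) to dst[pos ..] only if it fits
 * inside dst[dst_len]. Returns the element count copied, or -1 if rejected. */
int checked_tail_copy(Lineprop *dst, size_t dst_len, size_t pos,
                      const Lineprop *src, size_t src_len, size_t epos)
{
    if (epos > src_len || pos > dst_len)
        return -1;                               /* invalid ranges */
    size_t n = src_len - epos;
    if (n > dst_len - pos)
        return -1;                               /* would write dst[dst_len] or beyond */
    memmove(&dst[pos], &src[epos], n * sizeof(Lineprop));
    return (int)n;
}

int main(void)
{
    /* Values from the ASan report in this issue. */
    size_t len = 19, pos = 17, epos = 18, line_len = 21;
    size_t over = tail_copy_overrun(len, pos, epos, line_len);
    printf("unchecked copy: %zu element(s) past prop[%zu], %zu byte(s) past a %zu-byte region\n",
           over, len, over * sizeof(Lineprop), len * sizeof(Lineprop));

    /* Constructed inputs: a 38-byte prop region and a 21-element source line. */
    Lineprop *prop = calloc(len, sizeof(Lineprop));
    Lineprop src[21];
    for (size_t i = 0; i < 21; i++)
        src[i] = (Lineprop)(0x100 + i);

    int r = checked_tail_copy(prop, len, pos, src, line_len, epos);
    printf("checked copy with pos=%zu: %d (rejected)\n", pos, r);
    r = checked_tail_copy(prop, len, 16, src, line_len, epos);
    printf("checked copy with pos=16: %d element(s) copied\n", r);

    free(prop);
    return 0;
}
```

Compile with `cc -fsanitize=address example.c`; the checked variant never reaches memmove with an out-of-range destination, so ASan stays quiet, while the overrun count reproduces the one-element (two-byte) overflow behind the "WRITE of size 6 at 0 bytes to the right of 38-byte region" above.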

@tats (Owner) commented Dec 13, 2016

Fixed, thank you.

@tats (Owner) commented Dec 20, 2016

Reverted the commit a4152aa

I'll reconsider this issue.

@tats tats reopened this Dec 20, 2016
tats added a commit that referenced this issue Dec 24, 2016
@tats (Owner) commented Dec 24, 2016

Fixed again.

@tats tats closed this as completed Dec 24, 2016
tats added a commit that referenced this issue May 5, 2017
- New patch 934_menu.patch to fix buffer overflow (#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (#62)
- New patch 936_metarefresh.patch to fix buffer overflow (#63)
- New patch 937_lineproc0.patch to fix buffer overflow (#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (#61)
- New patch 939_textarea.patch to fix buffer overflow (#58)
- New patch 940_tabattr.patch to fix buffer overflow (#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (#70)
- New patch 942_tridvalue.patch to fix buffer overflow (#71)
- New patch 943_pushlink.patch to fix buffer overflow (#64, #66)
- New patch 944_lineproc0.patch to fix use after free (#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (#57)
- New patch 946_strnewsize.patch to fix buffer overflow (#72)
- New patch 947_realcolumn.patch to fix buffer overflow (#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (#77)
- New patch 950_textarea.patch to fix infinite loop (#85)
- New patch 951_lineproc0.patch to fix use after free (#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (#68)